Followup: Cloud Security and Adoption

I produced a blog entry which created some interest on the Cloud Security topic. I produced the blog entry after reading several articles reminding me that the most common excuse I’ve heard for enterprises to avoid the cloud was the concern for “Cloud Security.”

After I wrote the article I got a number of responses. A CSO friend of mine said it was balderdash. He sent me comments to edit and soften my article to make it more “precise.” I really appreciate his comments. I also spoke on the topic to a group of architects at a major financial institution. After doing more research on this topic I have become convinced:

1) The central argument, that the cloud is simply too valuable for “security” to serve as an excuse, is valid. In my opinion the value to enterprises of using the cloud in all its manifestations is too important for most businesses to ignore or remain aloof from. The followers on this will indeed be the losers.

2) There is even more to be concerned about regarding security than I realized. I believe that frequently, for possibly many reasons, people conspire to minimize concerns about security in general. The fact is there is far more hacking and far more general security attacks on companies than I had realized.

My slideshare presentation outlines a very small number of the break-ins and attacks over the last year alone. The vast majority of these attacks happened at private companies, and the most serious by far, in my opinion, happened at private companies NOT in the cloud.

The ratio that seemed to hold is that the number of attacks at private vs cloud companies was 3:2. Since the number of private companies vastly exceeds the number of cloud companies, you can see that a very high percentage of all attacks are occurring at private companies. Private companies in 38 of 50 states are required by law to disclose break-ins that affect individual consumers. So it is not clear how many private companies are required to report successful security attacks, or how many are required but don’t. The ratio of attacks on private vs cloud companies could be much worse than the 3:2 ratio. We just don’t know. Also, the losses were tangible at private companies, with actual money lost in some cases and very significant reputational loss, as in the case of Target and others. Hundreds of millions of user email addresses, passwords, credit card numbers and other significant personally identifying information were lost by private companies. There were 4 million health records lost when a hospital simply had a number of computers lifted off the campus. Hospitals don’t have the security procedures that a bank, for instance, has for computer equipment.

This didn’t surprise me, but I guess I naively believed that even if lots of things are possible, very few of those worst-case scenarios ever emerge. Several hundred million email addresses means a large percentage of people have been compromised. 4 million health records is a lot. For me these numbers were shocking.

We live in an era where privacy is being attacked from all angles.

There is an enormous number of hacking attempts trying to gather personal information about us from companies. On top of that is the general ineptness of most companies in the security area. The average private company applies known patches to its operating systems 25 to 60 days after the patch becomes available and the vulnerability is disclosed. That is atrocious, because we should all be aware that when a vulnerability is announced the hackers go to work. They know it takes time for many to patch the vulnerability, so most severe attacks occur within 30 days of a vulnerability disclosure. Therefore, by waiting 25-60 days to patch the vulnerability, the vast majority of companies are simply leaving themselves open to attack. I didn’t realize it was this bad. As I have pointed out, the incompetence of the average company simply means that, whether they want to admit it or not, most companies will probably have HIGHER security by moving to the cloud.

One thing that was brought up in reaction to my comments is that the focus of hackers’ attention has not moved to the public cloud yet because the data, the information, isn’t there yet. If private companies moved all this data to the cloud, the argument goes, the number of attacks on cloud companies would proliferate. This makes sense, but cloud companies are also generally improving their security much more rapidly than private companies. I don’t have statistics to prove this, but what we know cloud companies have done in the last year in response to the attacks against them suggests that they are cognizant of the danger. My slideshare presentation provides information on this as well.

On another front, it was discovered that 20% of all attacks in the last year were initiated by specific “governments.” China was mentioned a lot in attacks over the last year, and specific attacks last year were clearly the result of Chinese government attacks. (My slideshare presentation above documents the sources for these attributions.) We know the US government has been spying on us. For me this is not a surprise. I had generally heard about all the things Snowden talked about at least 2 years before Snowden released them. This is public information: I have been able to deduce from presentations by companies what is happening, without making difficult leaps of imagination. It is clear that numerous organizations in the US are probably being paid to spy on people within or outside the US, and they may have no option but to do this.

In addition to that, the march of technology makes the spying easier. New technology from Google enables them to do much better at recognizing words, faces, anything digital, and therefore at tying digital information, phone records, whatever, to specific individuals. If you are someone the government is interested in finding or discovering things about from an electronic trail, it is getting easier and easier for them to do that. On top of that there is a massive effort by almost every company to gather vast amounts of information about you and everything you do, for the purpose of helping you either with better advertising or by somehow getting you interested in whatever they want to get you interested in. This is resulting in disturbing trends where, if I go look for a certain software technology or a good of some sort, I will find myself bombarded by advertisements (retargeting) wherever I go on the internet that seem to know I was looking at something 3 days ago. That verges on creepy. I don’t know where to draw the line between “innocent spying,” “creepy spying,” and “illegal spying,” but that is not what this blog is about.

I believe the opportunities to change our lives for the better through the cloud are enormous. I believe the opportunities and benefits of participating in the cloud far outweigh the risks. In many cases, companies that can’t adjust and become leaders in adopting the cloud may have to go away. So, I believe that by not adopting the cloud you put your business at risk.

Some of the reasons for this are outlined in my slideshare presentation above.